ietf-asrg

Re: [Asrg] Proposal for transition to authenticated email

2003-04-28 23:33:58
At 12:46 AM 4/29/03 -0400, Ken Hirsch wrote:
> From: "Vernon Schryver" <vjs(_at_)calcite(_dot_)rhyolite(_dot_)com>
> I advocate the use of SMTP-TLS, but it has a major defect for
> authenticating mail.  It only authenticates one MTA to another, or
> in some cases an MUA to an MTA or an MTA to an MUA.  It does not
> authenticate the sender of the mail message itself.
>
> And that is all that is necessary.
> I don't think that authenticating the actual sender is practical.
> In order for sender authentication to be common it has to be
> inexpensive and convenient.


I think it depends on what you mean by "authenticating".
If, for example, you wanted to assure that
MAIL FROM:<sender@example.com>
was really from someone who could read email sent to sender@example.com,
then all you need to do is send an authentication token to
sender@example.com and require they use it in all future emails.
Simple Challenge/response via email.

Hmm... you might even be able to layer that on top of the existing
SMTP protocol with something similar to the TMDA method by placing
the tokens in the to and return addresses, i.e.
MAIL FROM:<sender+sender-to-receiver-auth-token@example.com>
RCPT TO:<receiver+receiver-to-sender-auth-token@example.com>

I'll have to think about that some more.




> ... Instead of an MTA blacklist, you have an MTA whitelist.


Aren't both kinds of lists logically equivalent?
Why is "not on blacklist" different from "on whitelist"?

Scott Nelson <scott(_at_)spamwolf(_dot_)com>
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
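
The token-in-address idea sketched in the message above, as an added example that is not part of the original post and is not TMDA's actual address format: the receiver derives the receiver-to-sender token with an HMAC over both base addresses, so it can check the tag in RCPT TO without keeping per-sender state. The HMAC construction, token length, function names and the secret are assumptions made for illustration.

```python
import hashlib
import hmac

TOKEN_HEX_LEN = 20  # 80 bits of HMAC output; the length is an assumption


def make_token(secret: bytes, issuer: str, peer: str) -> str:
    """Token that `issuer` hands to `peer`, bound to both base addresses."""
    msg = f"{issuer.lower()}\x00{peer.lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:TOKEN_HEX_LEN]


def tag_address(addr: str, token: str) -> str:
    """Build local+token@domain from a plain address."""
    local, _, domain = addr.rpartition("@")
    return f"{local}+{token}@{domain}"


def split_tagged(addr: str):
    """Return (base_address, token); token is None when no tag is present."""
    local, _, domain = addr.strip("<>").rpartition("@")
    base, sep, token = local.rpartition("+")
    if not sep:
        return f"{local}@{domain}", None
    return f"{base}@{domain}", token


def check_envelope(secret: bytes, mail_from: str, rcpt_to: str) -> str:
    """Receiver-side decision for one SMTP envelope: 'accept' or 'challenge'."""
    sender, _ = split_tagged(mail_from)       # sender's own tag is for replies
    receiver, presented = split_tagged(rcpt_to)
    if presented is None:
        return "challenge"                    # no token yet: send one by email
    expected = make_token(secret, receiver, sender)
    ok = hmac.compare_digest(presented.encode(), expected.encode())
    return "accept" if ok else "challenge"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"       # constructed sample value
    tok = make_token(secret, "receiver@example.com", "sender@example.com")
    rcpt = tag_address("receiver@example.com", tok)
    print("RCPT TO:<%s>" % rcpt)
    print(check_envelope(secret, "<sender+x@example.com>", f"<{rcpt}>"))
    print(check_envelope(secret, "<other@example.com>", f"<{rcpt}>"))
```

The token only shows that the sender once received mail at the MAIL FROM address; anyone who learns a tagged address can replay it, so a deployment would also need expiry or revocation.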